The Dab Cheater (Reputation: 0; Joined: 22 May 2017; Posts: 33)
Posted: Sat Jun 24, 2017 4:18 pm    Post subject: Finding pointers with aob scripts?

Hello, I know this is my second post on this topic, but I seem to have reached a problem when it comes to finding the base address, again. Usually what I do is what is shown below.
Code:
[ENABLE]
aobscan(INJECT,48 89 81 68 01 00 00 48 3D) // should be unique
alloc(newmem,$1000,7FF9C41D67F6)
label(code)
label(return)
registersymbol(base)
alloc(base,8)
newmem:
push rax
lea rax,[rcx]
mov [base],rax
pop rax
code:
mov [rcx+00000168],rax
jmp return
INJECT:
jmp newmem
nop
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 48 89 81 68 01 00 00
unregistersymbol(base)
dealloc(base)
unregistersymbol(INJECT)
dealloc(newmem)
Now I am trying to work on a different game and it gives me this.
Code:
[ENABLE]
aobscan(coins,41 89 48 3C 48 8B 4D E8 48 89 4A 58 48 8B E5 5D C3 00 00 00 00 00 00 00 00 00) // should be unique
alloc(newmem,$1000,47A8489B787)
label(code)
label(return)
newmem:
code:
mov [r8+3C],ecx
mov rcx,[rbp-18]
jmp return
coins:
jmp newmem
nop
nop
nop
return:
registersymbol(coins)
[DISABLE]
coins:
db 41 89 48 3C 48 8B 4D E8
unregistersymbol(coins)
dealloc(newmem)

Unlike the first script, I am given two mov opcodes instead of one. Can someone explain how I will write the base address into "base" with two mov opcodes?

OldCheatEngineUser, Whateven rank (Reputation: 20; Joined: 01 Feb 2016; Posts: 1587)
Posted: Sat Jun 24, 2017 4:31 pm

It's the same!
Which register do you want the base address of?
r8 or rbp
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: i am a sweetheart.

The Dab Cheater (Reputation: 0; Joined: 22 May 2017; Posts: 33)
Posted: Sat Jun 24, 2017 4:50 pm

OldCheatEngineUser wrote:
    It's the same!
    Which register do you want the base address of?
    r8 or rbp
So I tried using both r8 and rbp and they both came up as completely random values when I added them. I need to find a way to combine both r8 and rbp.

OldCheatEngineUser, Whateven rank (Reputation: 20; Joined: 01 Feb 2016; Posts: 1587)
Posted: Sat Jun 24, 2017 4:56 pm

In case you want both of them and tried to do it for both, then post the script here; maybe I can do something with it, or any other experienced cheater can also help.

ParkourPenguin, I post too much (Reputation: 140; Joined: 06 Jul 2014; Posts: 4289)
Posted: Sat Jun 24, 2017 6:29 pm

The fact that there are two instructions only means the first instruction isn't big enough to replace with a jmp. Do as you normally would and save r8. If it isn't what you expect it to be, it's probably because that instruction is accessing more than one address.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
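ParkourPenguin's point about the first instruction not being "big enough to replace with a jmp" is exactly why the second script in this thread steals two instructions instead of one: a rel32 jmp is five bytes, so the auto assembler has to take whole instructions until it has at least five bytes, and pad the rest with nops. The following is an added example, not code from the thread or from Cheat Engine: a small Python model of that layout rule that also encodes the jmp into the cave and the jmp back. The instruction bytes and lengths are taken from the two posted scripts; the injection and cave addresses are constructed placeholders, not addresses from either game. The same five-byte E9 pattern at an unexpected spot in code is what inline-hook scanners look for when they check a process for this kind of patch.

```python
import struct

JMP_REL32_LEN = 5   # jmp rel32 encodes as E9 xx xx xx xx
NOP = 0x90


def plan_hook(instr_lengths):
    """Return (instructions_to_steal, nop_padding) for a 5-byte rel32 jmp.

    instr_lengths are the byte lengths of the instructions at the injection
    point, in order. Only whole instructions are stolen: a jmp that ends in
    the middle of an instruction leaves the CPU decoding garbage on return.
    """
    stolen, total = 0, 0
    for length in instr_lengths:
        stolen += 1
        total += length
        if total >= JMP_REL32_LEN:
            return stolen, total - JMP_REL32_LEN
    raise ValueError("injection point too short for a rel32 jmp")


def encode_jmp(src, dst):
    """Encode `jmp rel32` placed at src, targeting dst.

    The displacement is relative to the end of the jmp itself (src + 5).
    """
    rel = dst - (src + JMP_REL32_LEN)
    if not -2**31 <= rel < 2**31:
        raise ValueError("target out of rel32 range")
    return b"\xe9" + struct.pack("<i", rel)


def build_patch(original, instr_lengths, inject_addr, cave_addr):
    """Return (bytes written over the injection point,
               original bytes the [DISABLE] `db ...` line must restore,
               address the cave jumps back to)."""
    stolen, pad = plan_hook(instr_lengths)
    stolen_len = sum(instr_lengths[:stolen])
    patch = encode_jmp(inject_addr, cave_addr) + bytes([NOP]) * pad
    assert len(patch) == stolen_len      # jmp + nops exactly cover the stolen code
    return patch, original[:stolen_len], inject_addr + stolen_len


def build_cave(stolen_original, cave_addr, return_addr):
    """Cave body: the stolen instructions re-executed verbatim, then jmp back.

    Copying verbatim is only valid when none of the stolen instructions is
    rip-relative; the register/base+disp moves in this thread qualify.
    """
    return stolen_original + encode_jmp(cave_addr + len(stolen_original), return_addr)


# Constructed sample: the bytes the two posted scripts overwrite.
SCRIPT1 = (bytes.fromhex("48 89 81 68 01 00 00"), [7])         # mov [rcx+168],rax
SCRIPT2 = (bytes.fromhex("41 89 48 3C 48 8B 4D E8"), [4, 4])   # mov [r8+3C],ecx ; mov rcx,[rbp-18]

if __name__ == "__main__":
    # Placeholder addresses (assumed, not from either game).
    for name, (orig, lengths) in (("script 1", SCRIPT1), ("script 2", SCRIPT2)):
        patch, restore, ret = build_patch(orig, lengths, 0x140001000, 0x140002000)
        print(name, "steals", len(restore), "bytes:", patch.hex(" "), "-> returns to", hex(ret))
```

Run as-is it reports script 1 as jmp + 2 nops over 7 bytes and script 2 as jmp + 3 nops over 8 bytes, which is exactly the nop count each posted script uses; the returned `restore` bytes are the `db` line each [DISABLE] section writes back.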

OldCheatEngineUser, Whateven rank (Reputation: 20; Joined: 01 Feb 2016; Posts: 1587)
Posted: Sat Jun 24, 2017 7:00 pm

ParkourPenguin wrote:
    If it isn't what you expect it to be, it's probably because that instruction is accessing more than one address.
Thumbs up, I agree with him. In this case he can use:
"Find out what addresses this instruction accesses"
and then compare them in Dissect data/structures or the Structure spider.
Then he does his compare right before moving the base address of r8.
Parkour, I like the way you think. Cheers buddy.

The Dab Cheater (Reputation: 0; Joined: 22 May 2017; Posts: 33)
Posted: Sat Jun 24, 2017 7:22 pm

ParkourPenguin wrote:
    The fact that there are two instructions only means the first instruction isn't big enough to replace with a jmp. Do as you normally would and save r8. If it isn't what you expect it to be, it's probably because that instruction is accessing more than one address.
So I don't know why I thought of this before, thank you for reminding me. It does access more than one address, what should I do now?

ParkourPenguin, I post too much (Reputation: 140; Joined: 06 Jul 2014; Posts: 4289)
Posted: Sat Jun 24, 2017 8:32 pm

Because you're only looking to copy the address, the easiest solution would be to find a different injection point. If you don't want to do that:
++METHOS wrote:
    You will need to segregate any code that you intend to manipulate.
++METHOS wrote:
    - You can use a pointer address for your filter, inside of your script, for the value that you are trying to manipulate.
    - You can use pointer trees inside of the data structure to find something viable.
    - You can shift the data structure (+ or -) and/or expand its size to find something useful.
    - You can use the structure spider to find workable strings and/or for comparative analysis.
    - You can check the register values by attaching the debugger or setting a breakpoint to see if something can be used for your filter.
    - You can check to see if there are any instructions that are exclusive to the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
    - You can check to see if there are any instructions that are exclusive to any other address/value inside of the data structure for the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
    - You can analyze assembly code to see if an identifier is being checked or assigned somewhere.
    - Et al.

(this question has been asked many times; use Google to find topics with answers or tutorials)